ETSITS133 103V4.0.0
(2001-03)
Technical Specification
Universal Mobile Telecommunications System (UMTS);
3G Security;
Integration Guidelines
(3GPP TS 33.103 version 4.0.0 Release 4)
3!^^
3G PP TS 33. 1 03 version 4.0.0 Release 4 1 ETSI TS 1 33 1 03 V4.0.0 (2001 -03)
Reference
RTS/TSGS-03331 03Uv4
Keywords
UMTS
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N°348 623 562 00017 - NAF 742 C
Association a but non lucratif enregistree a la
Sous-Prefecture de Grasse (06) N° 7803/88
Important notice
Individual copies of the present document can be downloaded from:
http://www.etsi.orq
The present document may be made available in more than one electronic version or in print. In any case of existing or
perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF).
In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive
within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at http://www. etsi . o rq/tb/status/
If you find errors in the present document, send your comment to:
editor@etsi.fr
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 2001.
All rights reserved.
£75/
3G PP TS 33. 1 03 version 4.0.0 Release 4 2 ETSI TS 1 33 1 03 V4.0.0 (2001-03)
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (http://www.etsi.org/ipr ).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Technical Specification (TS) has been produced by the ETSI 3' Generation Partnership Project (3GPP).
The present document may refer to technical specifications or reports using their 3GPP identities, UMTS identities or
GSM identities. These should be interpreted as being references to the corresponding ETSI deliverables.
The cross reference between GSM, UMTS, 3GPP and ETSI identities can be found under www.etsi.org/kev .
£75/
3GPP TS 33.1 03 version 4.0.0 Release 4 3 ETSI TS 1 33 1 03 V4.0.0 (2001 -03)
Contents
Foreword 4
1 Scope 5
2 References 5
3 Definitions, symbols, abbreviations and conventions 5
3.1 Definitions 5
3.2 Symbols 6
3.3 Abbreviations 7
3.4 Conventions 8
4 Access link security 8
4.1 Functional network architecture 8
4.2 User services identity module 9
4.2.1 Void 9
4.2.2 Authentication and key agreement (AKAusim) 9
4.3 User equipment 12
4.3.1 User identity confidentiality (UICue) 12
4.3.2 Data confidentiality (DCue) 13
4.3.3 Data integrity (DIue) 14
4.3.4 Void 16
4.4 Radio network controller 16
4.4.1 Data confidentiality (DCrnc) 16
4.4.2 Data integrity (D1„J 17
4.5 SN (or MSC/VLR or SGSN) 18
4.5.1 User identity confidentiality (UICsn) 18
4.5.2 Void 19
4.5.3 Authentication and key agreement ( AKAsn) 19
4.6 Home location register / Authentication centre 20
4.6.1 Authentication and key agreement (AKAhe) 20
4.7 Void 22
5 Void 22
6 Void 22
Annex A (informative): Change history 23
£75/
3GPP TS 33.1 03 version 4.0.0 Release 4 4 ETSI TS 1 33 1 03 V4.0.0 (2001 -03)
Foreword
rd ,
This Technical Specification has been produced by the 3' Generation Partnership Project (3GPP).
The contents of the present document are subject to continuing work within the TSG and may change following formal
TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an
identifying change of release date and an increase in version number as follows:
Version x.y.z
where:
X the first digit:
1 presented to TSG for information;
2 presented to TSG for approval;
3 or greater indicates TSG approved document under change control.
y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections,
updates, etc.
z the third digit is incremented when editorial only changes have been incorporated in the document.
£75/
3GPP TS 33.1 03 version 4.0.0 Release 4 5 ETSI TS 1 33 1 03 V4.0.0 (2001 -03)
1 Scope
This technical specification defines how elements of the 3G-security architecture are to be integrated into the following
entities of the system architecture.
Home Environment Authentication Centre (HE/AuC)
- Serving Network Visited Location Register (VLR/SGSN)
- Radio Network Controller (RNC)
- Mobile station User Identity Module (UIM)
- Mobile Equipment (ME)
This specification is derived from 3G "Security architecture". [1]
The structure of this technical specification is a series of tables, which describe the security information and
cryptographic functions to be stored in the above entities of the 3G system.
For security information, this is in terms of multiplicity, lifetime, parameter length and whether mandatory or optional.
For the cryptographic functions, the tables also include an indication of whether the implementation needs to be
standardised or can be proprietary.
The equivalent information for the alternative Temporary Key proposal is included in an appendix to this document.
References
The following documents contain provisions which, through reference in this text, constitute provisions of the present
document.
• References are either specific (identified by date of publication, edition number, version number, etc.) or
non-specific.
• For a specific reference, subsequent revisions do not apply.
• For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including
a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same
Release as the present document.
[1] 3GPP TS 33.102: "3rd Generation Partnership Project; Technical Specification Group Services
and System Aspects; 3G Security; 3G Security Architecture".
3 Definitions, symbols, abbreviations and conventions
3.1 Definitions
For the purposes of the present document, the following definitions apply:
Authentication vector: either a quintet or a triplet.
Confidentiality: The property that information is not made available or disclosed to unauthorised individuals, entities
or processes.
Data integrity: The property that data has not been altered in an unauthorised manner.
Data origin authentication: The corroboration that the source of data received is as claimed.
£75/
3GPP TS 33.1 03 version 4.0.0 Release 4 6 ETSI TS 1 33 1 03 V4.0.0 (2001 -03)
Entity authentication: The provision of assurance of the claimed identity of an entity.
GSM Entity authentication and key agreement: Entity authentication according to GSM 03.20.
GSM security context: a state that is established between a user and a serving network domain usually as a result of
the execution of GSM AKA. At both ends "GSM security context data" is stored, that consists at least of the GSM
cipher key Kc and the cipher key sequence number CKSN.
GSM subscriber: a mobile station that consists of user equipment with a SIM inserted.
Key freshness: A key is fresh if it can be guaranteed to be new, as opposed to an old key being reused through actions
of either an adversary or authorised party.
Mobile station, user: the combination of user equipment and a user access module.
Quintet, UMTS authentication vector: temporary authentication data that enables an MSC/VLR or SGSN to engage
in UMTS AKA with a particular user. A quintet consists of five elements: a) a network challenge RAND, b) an
expected user response XRES, c) a cipher key CK, d) an integrity key IK and e) a network authentication token AUTN.
SIM - GSM Subscriber Identity Module. In a security context, this module is responsible for performing GSM
subscriber authentication and key agreement. This module is not capable of handling UMTS authentication nor storing
UMTS style keys.
Temporary authentication data: either UMTS or GSM security context data or UMTS or GSM authentication
vectors.
Triplet, GSM authentication vector: temporary authentication data that enables an MSC/VLR or SGSN to engage in
GSM AKA with a particular user. A triplet consists of three elements: a) a network challenge RAND, b) an expected
user response SRES and c) a cipher key Kc.
User access module: either a USIM or a SIM
USIM - User Services Identity Module. In a security context, this module is responsible for performing UMTS
subscriber and network authentication and key agreement. It should also be capable of performing GSM authentication
and key agreement to enable the subscriber to roam easily into a GSM Radio Access Network.
UMTS Entity authentication and key agreement: Entity authentication according to this specification.
UMTS security context: a state that is established between a user and a serving network domain as a result of the
execution of UMTS AKA. At both ends "UMTS security context data" is stored, that consists at least of the UMTS
cipher/integrity keys CK and IK and the key set identifier KSI.
UMTS subscriber: a mobile station that consists of user equipment with a USIM inserted.
3.2 Symbols
For the purposes of the present document, the following symbols apply:
II Concatenation
® Exclusive or
f 1 Message authentication function used to compute MAC
f 1 * Message authentication function used to compute MAC-S
f2 Message authentication function used to compute RES and XRES
f3 Key generating function used to compute CK
f4 Key generating function used to compute IK
f5 Key generating function used to compute AK in normal operation
f5* Key generating function used to compute AK for re-synchronisation
f6 Encryption function used to encrypt the IMSI
f7 Decryption function used to decrypt the IMSI (=f6"')
f8 Integrity algorithm
f9 Confidentiality algorithm
flO Deriving function used to compute TEMSI
K Long-term secret key shared between the USIM and the AuC
£75/
3GPP TS 33.103 version 4.0.0 Release 4
ETSI TS 133 103 V4.0.0 (2001-03)
3.3 Abbreviations
For the purposes of the present document, the following abbreviations apply:
AK Anonymity Key
AKA Authentication and key agreement
AMF Authentication management field
AUTN Authentication Token
AV Authentication Vector
CK Cipher Key
CKSN Cipher key sequence number
CS Circuit Switched
DsK(x)(data) Decryption of "data" with Secret Key of X used for signing
EKsxY(i)(data) Encryption of "data" with Symmetric Session Key #i for sending data from X to Y
EpK(X)(data) Encryption of "data" with Public Key of X used for encryption
EMSI Encrypted Mobile Subscriber Identity
EMSIN Encrypted MSIN
Hash(data) The result of applying a collision-resistant one-way hash-function to "data"
HE Home Environment
HLR Home Location Register
IK Integrity Key
IMSI International Mobile Subscriber Identity
IV Initialisation Vector
KACx Key Administration Centre of Network X
KSxY(i) Symmetric Session Key #i for sending data from X to Y
KSI Key Set Identifier
KSS Key Stream Segment
LAI Location Area Identity
MAP Mobile Application Part
MAC Message Authentication Code
MAC-A The message authentication code included in AUTN, computed using fl
MS Mobile Station
MSC Mobile Services Switching Centre
MSIN Mobile Station Identity Number
MT Mobile Termination
NEx Network Element of Network X
PS Packet Switched
P-TMSI Packet-TMSI
Q Quintet, UMTS authentication vector
RAI Routing Area Identifier
RAND Random challenge
RNDx Unpredictable Random Value generated by X
SQN Sequence number
SQNuic Sequence number user for enhanced user identity confidentiality
SQNhe Sequence number counter maintained in the HLR/AuC
SQNms Sequence number counter maintained in the USIM
SGSN Serving GPRS Support Node
SIM (GSM) Subscriber Identity Module
SN Serving Network
T Triplet, GSM authentication vector
TE Terminal Equipment
TEMSI Temporary Encrypted Mobile Subscriber Identity used for paging instead of IMSI
Textl Optional Data Field
Text2 Optional Data Field
Texts Public Key algorithm identifier and Public Key Version Number (eventually included in Public
Key Certificate)
TMSI Temporary Mobile Subscriber Identity
TTP Trusted Third Party
UE User equipment
UFA UMTS Encryption Algorithm
UIA UMTS Integrity Algorithm
£75/
3GPP TS 33.103 version 4.0.0 Release 4
ETSI TS 133 103 V4.0.0 (2001-03)
UIDN User Identity Decryption Node
USIM User Services Identity Module
VLR Visitor Location Register
X Network Identifier
XEMSI Extended Encrypted Mobile Subscriber Identity
XRES Expected Response
Y Network Identifier
3.4
Conventions
All data variables in this specification are presented with the most significant substring on the left hand side and the
least significant substring on the right hand side. A substring may be a bit, byte or other arbitrary length bitstring.
Where a variable is broken down into a number of substrings, the leftmost (most significant) substring is numbered 0,
the next most significant is numbered 1, and so on through to the least significant.
4.1
Access link security
Functional network architecture
Figure 1 shows the functional security architecture of UMTS.
Figure 1 : UMTS functional security architecture
The vertical bars represent the network elements:
In the user domain:
USIM (User Service Identity Module): an access module issued by a HE to a user;
UE (User Equipment);
In the serving network (SN) domain:
RNC (Radio Network Controller);
VLR (Visited Location Register), also the SGSN;
£75/
3GPP TS 33.1 03 version 4.0.0 Release 4 9 ETSI TS 1 33 1 03 V4.0.0 (2001 -03)
In the home environment (HE) domain:
HLR/AuC;
UIDN.
The horizontal hnes represent the security mechanisms:
EUIC: mechanism for enhanced user identity confidentiahty (optional, between user and HE);
UIC: conventional mechanism for user identity confidentiality (between user and serving network);
AKA: the mechanism for authentication and key agreement, including the functionality to trigger a re-
authentication by the user, i.e., to control the access key pair lifetime;
DC: the mechanism for data confidentiality of user and signalling data;
DI: the mechanism for data integrity of signalling data;
DEC: the mechanism for network-wide data confidentiality.
In the remaining section of this specification we describe what data elements and functions need to be implemented in
each of the above network elements for each of the above mechanisms and functions.
4.2 User services identity module
4.2.1 Void
4.2.2 Authentication and key agreement (AKAusim)
The USIM shall support the UMTS mechanism for authentication and key agreement described in 6.3 of 3G TS 33. 102.
The following data elements need to be stored on the USIM:
a) K: a permanent secret key;
b) SQNms: a counter that is equal to the highest sequence number SQN in an AUTN parameter accepted by the
user;
c) RANDms^ the random challenge which was received together with the last AUTN parameter accepted by the
user. It is used to calculate the re-synchronisation message together with the highest accepted sequence number
(SQNms);
d) KSI: key set identifier;
e) THRESHOLDc: a threshold defined by the HE to trigger re-authentication and to control the cipher key lifetime;
f) CK The access link cipher key established as part of authentication;
g) IK The access link integrity key established as part of authentication;
h) HFNms: Stored Hyper Frame Number provides the Initialisation value for most significant part of COUNT-C and
COUNT-I. The least significant part is obtained from the RRC sequence number;
i) AMP: A 16-bit field used Authentication Management. The use and format are unspecified in the architecture
but examples are given in an informative annex;
j) The GSM authentication parameter and GSM cipher key derived from the UMTS to GSM conversion functions.
Table 3 provides an overview of the data elements stored on the USIM to support authentication and key agreement.
£75/
3GPP TS 33.103 version 4.0.0 Release 4
10
ETSI TS 133 103 V4.0.0 (2001-03)
Table 3: USIM - Authentication and key agreement - Data elements
Symbol
Description
Multiplicity
Lifetime
Length
Mandatory /
Optional
K
Permanent secret
l<ey
1 (note 1 )
Permanent
128 bits
Mandatory
SQNms
Sequence number
counter
1
Updated when
AKA protocol is
executed
48 bits
Mandatory
WINDOW (option
1)
accepted sequence
number array
1
Updated when
AKA protocol is
executed
1 to 1 00 bits
Optional
LIST
(option 2)
Ordered list of
sequence numbers
received
1
Updated when
AKA protocol is
executed
32-64 bits
Optional
RANDms
Random challenge
received by the
user.
1
Updated when
AKA protocol is
executed
128 bits
Mandatory
KSI
Key set identifier
1
Updated when
AKA protocol is
executed
3 bits
Mandatory
THRESHOLDc
Threshold value for
ciphering
1
Permanent
32 bits
Optional
CK
Cipher key
1
Updated when
AKA protocol is
executed
128 bits
Mandatory
IK
Integrity key
1
Updated when
AKA protocol is
executed
128 bits
Mandatory
HFNmS:
Initialisation value
for most significant
part for COUNT-C
and forCOUNT-l
1
Updated when
connection is
released
25 bits
Mandatory
AMF
Authentication
Management Field
(indicates the
algorithm and key
in use)
1
Updated when
AKA protocol is
executed
16 bits
Mandatory
RANDg
GSM
authentication
parameter from
conversion function
1
Updated when
GSM AKA or
UMTSAKA
protocol is
executed
As for GSM
Optional
SRES
GSM
authentication
parameter from
conversion function
1
Updated when
GSM AKA or
UMTSAKA
protocol is
executed
As for GSM
Optional
Kc
GSM cipher Key
1
Updated when
GSM AKA or
UMTS AKA
protocol is
executed
As for GSM
Optional
NOTE 1 : HE policy may dictate more than one, the active key signalled using the AMF function.
The following cryptographic functions need to be implemented on the USIM:
f 1 : a message authentication function for network authentication;
fl *: a message authentication function for support to re-synchronisation;
f2: a message authentication function for user authentication;
G: a key generating function to derive the cipher key;
f4: a key generating function to derive the integrity key;
£75/
3GPP TS 33.103 version 4.0.0 Release 4
11
ETSI TS 133 103 V4.0.0 (2001-03)
f5: a key generating function to derive the anonymity key for normal operation;
f5*: a key generating function to derive the anonymity key for re-synchronisation;
- c2: Conversion function for interoperation with GSM from XRES (UMTS) to SRES (GSM);
- c3: Conversion function for interoperation with GSM from Ck and IK (UMTS) to Kc (GSM).
Figure 2 provides an overview of the data integrity, data origin authentication and verification of the freshness by the
USIM of the RAND and AUTN parameters received from the VLR/SGSN, and the derivation of the response RES, the
cipher key CK and the integrity key IK. Note that the anonymity Key (AK) is optional.
RAND
f5
AK
SQN e AK
SQN
AUTN
AMF
MAC
fl
ni
f2
XMAC
f3
RES CK
f4
5 r ^r ^
IK
Verify MAC = XMAC
Verify SQN > SQNhe
Figure 2: User authentication function in the USIIVI
Figure 3 provides an overview of the generation in the USIM of a token for re-synchronisation AUTS.
a) The USIM computes MAC-S = fl*K(SQNMs H RAND II AMF*), whereby AMF* is a defauh value for AMF
used in re-synchronisation.
b) If SQNms is to be concealed with an anonymity key AK, the USIM computes AK = f5K(RAND), and the
concealed counter value is then computed as SQNms ® AK.
c) The re-synchronisation token is constructed as AUTS = SQNms [® AK] II MAC-S.
SQNms r
1 1
1 1
•
SQN
1
RAND
\MF* ►
^
^.r
1
T
fs
. _ _ _ .
1
t
AK
1
fl*
xor ]
M.
T
\C-S
1
1
t
[ms ® AK
AUTS = SQNms [® AK] II MAC-S
Figure 3: Generation of a tolten for re-synchronisation AUTS (note 1)
NOTE 1: The lengths of AUTS and MAC-S are specified in table 20.
£75/
3GPP TS 33.103 version 4.0.0 Release 4
12
ETSI TS 133 103 V4.0.0 (2001-03)
Table 4 provides a summary of the cryptographic functions implemented on the USIM to support authentication and
key agreement.
Table 4: USIM - Authentication and key agreement - Cryptographic functions
Symbol
Description
Multiplicity
Lifetime
Standardised /
Proprietary
Mandatory / Optional
f1
Network authentication
function
Permanent
Proprietary
Mandatory
f1*
IVIessage autlientication
function for
synchronisation
Permanent
Proprietary
Mandatory
f2
User authentication
function
Permanent
Proprietary
Mandatory
f3
Cipher l<ey generating
function
Permanent
Proprietary
Mandatory
f4
Integrity l<ey generating
function
Permanent
Proprietary
Mandatory
f5
Anonymity l<ey
generating function (for
normal operation)
Permanent
Proprietary
Optional
f5*
Anonymity key
generating function (for
re-synchronisation)
Permanent
Proprietary
Optional
c2 and c3
Conversion functions
for interoperation with
GSM
1 of each
Permanent
Standard
Optional
4.3 User equipment
4.3.1 User identity confidentiality (UICue)
The UE shall support the UMTS conventional mechanism for user identity confidentiality described in 6. 1 of 3G TS
33.102.
The UE shall store the following data elements:
TMUI-CS: a temporary identity allocated by the CS core network;
LAI: a location area identifier;
the TMUI-PS: a temporary identity allocated by the PS core network;
the RAJ: a routing area identifier
£75/
3GPP TS 33.103 version 4.0.0 Release 4
13
ETSI TS 133 103 V4.0.0 (2001-03)
Table 5: UE - User Identity Confidentiality - Data elements
Symbol
Description
IVIultiplicity
Lifetime
Length
IVIandatory /
Optional
TIVIUI-CS
Temporary user
identity
1 per user
Updated when
TIVIUI allocation
protocol is executed
by CS core network
As per GSM TMSI
Mandatory
LAI
Location area
identity
1 per user
Updated when
TMUI allocation
protocol is executed
by CS core network
Mandatory
TIVIUI-PS
Temporary user
identity
1 per user
Updated when
TMUI allocation
protocol is executed
by PS core network
Mandatory
RAI
Routing area
identity
1 per user
Updated when
TIVIUI allocation
protocol is executed
by PS core network
Mandatory
4.3.2 Data confidentiality (DCue)
The UE shall support the UMTS mechanism for confidentiality of user and signalling data described in 6.6 of 3G TS
33.102.
The UE shall store the following data elements:
a) UEA-MS: the ciphering capabilities of the UE;
b) CK: the cipher key;
c) UEA: the selected ciphering function;
In addition, when in dedicated mode:
d) COUNT-Cup: a time varying parameter for synchronisation of ciphering for the uplink;
e) COUNT-Cdown: a time varying parameter for synchronisation of ciphering for the downlink;
f) BEARER: a radio bearer identifier;
g) DIRECTION: An indication of the direction of transmission uplink or downlink to ensure a different cipher is
applied.
£75/
3GPP TS 33.103 version 4.0.0 Release 4
14
ETSI TS 133 103 V4.0.0 (2001-03)
Table 6 provides an overview of the data elements stored on the UE to support the mechanism for data confidentiality:
Table 6: UE - Data Confidentiality - Data elements
Symbol
Description
Multiplicity
Lifetime
Length
Mandatory /
Optional
UEA-MS
Ciphering
capabilities of the
UE
1 per UE
Permanent
16 bits
Mandatory
CK
Cipher key
1 per mode
Updated at
execution of AKA
protocol
128 bits
Mandatory
UEA
Selected ciphering
capability
1 per UE
Updated at
connection
establishment
4 bits
Mandatory
count-Cup
Time varying
parameter for
synchronisation of
ciphering
1 per radio bearer
Lifetime of a radio
bearer
32 bits
Mandatory
COUNT-CdowN
Time varying
parameter for
synchronisation of
ciphering
1 per radio bearer
Lifetime of a radio
bearer
32 bits
Mandatory
BEARER
Radio bearer
identifier
1 per radio bearer
Lifetime of a radio
bearer
5 bits
Mandatory
DIRECTION
An indication of the
direction of
transmission uplink
or downlink
1 per radio bearer
Lifetime of a radio
bearer
1 bit
Mandatory
The following cryptographic functions shall be implemented on the UE:
f8: access link encryption function (note 1).
- c4: Conversion function for interoperation with GSM from Kc (GSM) to CK (UMTS).
NOTE 1: The security architecture TS 33.102 refers to UEA , f8 is a specific implementation of UEA as defined in
Cryptographic algorithm requirements TS 33.105.
Table 7 provides an overview of the cryptographic functions implemented on the UE to support the mechanism for data
confidentiality.
Table 7: UE - Data Confidentiality - Cryptographic functions
Symbol
Description
Multiplicity
Lifetime
Standardised /
Proprietary
Mandatory / Optional
f8
Access link encryption
function
1-16
Permanent
Standardised
One at least is
mandatory
c4
Conversion function for
interoperation with GSM
1
Permanent
Standardised
Optional
4.3.3 Data integrity (DIue)
The UE shall support the UMTS mechanism for integrity of signalling data described in 6.4 of 3G TS 33.102.
The UE shall store the following data elements:
a) UIA-MS: the integrity capabilities of the UE.
In addition, when in dedicated mode:
b) UIA: the selected UMTS integrity algorithm;
c) IK: an integrity key;
£75/
3GPP TS 33.103 version 4.0.0 Release 4
15
ETSI TS 133 103 V4.0.0 (2001-03)
d) COUNT-Iup: a time varying parameter for synchronisation of data integrity in the uphnk direction;
e) COUNT-Idown^ a time varying parameter for synchronisation of data integrity in the downhnk direction;
f) DIRECTION An indication of the direction of transmission uplink or downlink to ensure a different cipher is
applied;
g) FRESH: a network challenge;
Table 8 provides an overview of the data elements stored on the UE to support the mechanism for data confidentiality:
Table 8: UE - Data Integrity - Data elements
Symbol
Description
Multiplicity
Lifetime
Length
Mandatory /
Optional
UIA-MS
Ciphering
capabilities of the
UE
1 perUE
Permanent
16 bits
Mandatory
UIA
Selected ciphering
capability
1 perUE
Updated at
connection
establishment
4 bits
Mandatory
IK
Integrity key
1 per mode
Updated by the
execution of the
AKA protocol
128 bits
Mandatory
DIRECTION
An indication of the
direction of
transmission uplink
or downlink
1 per radio bearer
Lifetime of a radio
bearer
1 bit
Mandatory
COUNT-lup
Synchronisation
value
1
Lifetime of a
connection
32 bits
Mandatory
COUNT-Idown
Synchronisation
value
1
Lifetime of a
connection
32 bits
Mandatory
FRESH
Network challenge
1
Lifetime of a
connection
32 bits
Mandatory
MAC-I
XMAC-I
Message
authentication code
1
Updated by the
execution of the
AKA protocol
32 bits
Mandatory
The following cryptographic functions shall be implemented on the UE:
f9: access link integrity function (note 1).
- c5: Conversion function for interoperation with GSM Kc (GSM) > IK (UMTS)
NOTE 1: The security architecture TS 33.102 refers to UIA, f9 is a specific implementation of UIA as defined in
Cryptographic algorithm requirements TS 33.105.
Table 9 provides an overview of the cryptographic functions implemented in the UE:
Table 9: UE - Data Integrity - Cryptographic functions
Symbol
Description
Multiplicity
Lifetime
Standardised /
Proprietary
Mandatory / Optional
f9
Access link data
integrity function
1-16
Permanent
Standardised
One at least is
mandatory
c5
Conversion function for
interoperation with GSM
1
Permanent
Standardised
Optional
£75/
3GPP TS 33.103 version 4.0.0 Release 4
16
ETSI TS 133 103 V4.0.0 (2001-03)
4.3.4 Void
4.4
Radio network controller
4.4.1 Data confidentiality (DCrnc)
The RNC shall support the UMTS mechanism for data confidentiality of user and signalling data described in 6.6 of 3G
TS 33.102.
The RNC shall store the following data elements:
a) UEA-RNC: the ciphering capabilities of the RNC;
In addition, when in dedicated mode:
b) UEA: the selected ciphering function;
c) CK: the cipher key;
d) COUNT-Cup: a time varying parameter for synchronisation of ciphering for the uplink;
e) COUNT-Cdown: a time varying parameter for synchronisation of ciphering for the downlink;
f) DIRECTION: An indication of the direction of transmission uplink or downlink to ensure a different cipher is
applied
g) BEARER: a radio bearer identifier.
Table 10 provides an overview of the data elements stored in the RNC to support the mechanism for data
confidentiality:
Table 10: RNC - Data Confidentiality - Data elements
Symbol
Description
Multiplicity
Lifetime
Length
Mandatory /
Optional
UEA-RNC
Ciphering
capabilities of the
UE
1
Permanent
16 bits
IVIandatory
UEA
Selected ciphering
capability
1 per user and
per mode
Updated at
connection
establishment
4 bits
Mandatory
CK
Cipher key
1 per user and per
mode
Updated at
connection
establishment
128 bits
IVIandatory
count-Cup
Time varying
parameter for
synchronisation of
ciphering
1 per radio bearer
Lifetime of a radio
bearer
32 bits
Mandatory
COUNT-CdowN
Time varying
parameter for
synchronisation of
ciphering
1 per radio bearer
Lifetime of a radio
bearer
32 bits
Mandatory
BEARER
Radio bearer
identifier
1 per radio bearer
Lifetime of a radio
bearer
5 bits
Mandatory
DIRECTION
An indication of the
direction of
transmission uplink
or downlink
1 per radio bearer
Lifetime of a radio
bearer
1 bit
Mandatory
The following cryptographic functions shall be implemented in the RNC:
f8: access link encryption function.
£75/
3GPP TS 33.103 version 4.0.0 Release 4
17
ETSI TS 133 103 V4.0.0 (2001-03)
Table 1 1 provides an overview of the cryptographic functions that shall be implemented in the RNC:
Tablell : RNC - Data integrity - Cryptographic functions
Symbol
Description
IVIultiplicity
Lifetime
Standardised /
Proprietary
Mandatory / Optional
f9
Access link data
integrity function
1-16
Permanent
Standardised
One at least is
mandatory
4.4.2 Data integrity (Dime)
The RNC shall support the UMTS mechanism for data integrity of signalling data described in 6.4 of 3G TS 33.102.
The RNC shall store the following data elements:
a) UIA-RNC: the integrity capabilities of the RNC;
In addition, when in dedicated mode:
b) UIA: the selected UMTS integrity algorithm;
c) IK: an integrity key;
d) COUNT-Iup: a time varying parameter for synchronisation of data integrity in the uplink direction;
e) COUNT-Idown^ ^ time varying parameter for synchronisation of data integrity in the downlink direction;
f) DIRECTION An indication of the direction of transmission uplink or downlink to ensure a different cipher is
applied;
g) FRESH: an MS challenge.
Table 12 provides an overview of the data elements stored on the UE to support the mechanism for data confidentiality:
Table12: UE - Data Integrity - Data elements
Symbol
Description
Multiplicity
Lifetime
Length
Mandatory /
Optional
UIA-RNC
Data integrity
capabilities of the
RNC
Permanent
16 bits
Mandatory
UIA
Selected data
integrity capability
1 per user
Lifetime of a
connection
4 bits
Mandatory
IK
Integrity key
1 per user
Lifetime of a
connection
128 bits
Mandatory
DIRECTION
An indication of the
direction of
transmission uplink
or downlink
1 per radio bearer
Lifetime of a radio
bearer
1 bit
Mandatory
COUNT-lup
Synchronisation
value
Lifetime of a
connection
32 bits
Mandatory
COUNT-Idown
Synchronisation
value
Lifetime of a
connection
32 bits
Mandatory
FRESH
MS challenge
Lifetime of a
connection
32 bits
Mandatory
MAC-I
XMAC-I
Message
authentication code
Updated by the
execution of the
AKA protocol
32 bits
Mandatory
The following cryptographic functions shall be implemented on the UE:
f9: access link integrity function.
£75/
3GPP TS 33.103 version 4.0.0 Release 4
18
ETSI TS 133 103 V4.0.0 (2001-03)
Table 13 provides an overview of the cryptographic functions implemented in the UE:
Table 13: UE - Data Integrity - Cryptographic functions
Symbol
Description
IVIultiplicity
Lifetime
Standardised /
Proprietary
Mandatory / Optional
f9
Access link data
integrity function
1-16
Permanent
Standardised
One at least is
mandatory
4.5 SN (or MSC/VLR or SGSN)
4.5.1 User identity confidentiality (UICsn)
The VLR (equivalently the SGSN) shall support the UMTS conventional mechanism for user identity confidentiality
described in 6.1 of 3GTS 33.102.
The VLR shall store the following data elements:
TMUI-CS: a temporary identity allocated by the CS core network;
LAI: a location area identifier;
Table 14: VLR - User Identity Confidentiality - Data elements
Symbol
Description
IVIultiplicity
Lifetime
Length
Mandatory / Optional
TMUI-CS
Temporary user Identity
2 per user
Updated when TMUI
allocation protocol is
executed by CS core
network
Mandatory
LAI
Location area identity
2 per user
Updated when TMUI
allocation protocol is
executed by CS core
network
Mandatory
Equivalently, the SGSN shall store the following data elements:
TMUI-PS: a temporary identity allocated by the PS core network;
RAI: a routing area identifier.
Table 15: SGSN - User Identity Confidentiality - Data elements
Symbol
Description
Multiplicity
Lifetime
Length
Mandatory / Optional
TMUI-PS
Temporary user identity
1 per user
Updated when TMUI
allocation protocol is
executed by PS core
network
Mandatory
RAI
Routing area identity
1 per user
Updated when TMUI
allocation protocol is
executed by PS core
network
Mandatory
£75/
3GPP TS 33.103 version 4.0.0 Release 4
19
ETSI TS 133 103 V4.0.0 (2001-03)
4.5.2 Void
4.5.3 Authentication and key agreement ( AKAsn)
The VLR (equivalently the SGSN) shall support the UMTS mechanism for authentication and key agreement described
in6.3 of 3GTS 33.102.
The following data elements need to be stored in the VLR (and SGSN):
a) AV: Authentication vectors;
Table 16 provides an overview of the composition of an authentication vector
Table 16: Composition of an authentication vector
Symbol
Description
Multiplicity
Length
RAND
Networl< challenge
1
128
XRES
Expected response
1
32-128
CK
Cipher key
1
128
IK
Integrity key
1
128
AUTN
Authentication token
1 that consists of:
128
SQN
or
SQN e AK
Sequence number
or
Concealed sequence number
1 per AUTN
48
AMF
Authentication IVIanagement Field
1 per AUTN
16
IVIAC-A
Message authentication code for network authentication
1 per AUTN
64
b) KSI: Key set identifier;
c) CK: Cipher key;
d) IK: Integrity key;
e) GSM AV: Authentication vectors for GSM.
Table 17 provides an overview of the data elements stored in the VLR/SGSN to support authentication and key
agreement.
Table 17: VLR/SGSN - Authentication and key agreement - Data elements
Symbol
Description
Multiplicity
Lifetime
Length
Mandatory /
Optional
UMTS AV
UMTS
Authentication
vectors
several per user,
SN dependent
Depends on many
things
528-640
Mandatory
KSI
Key set identifier
1 per user
Updated when AKA
protocol is executed
3 bits
Mandatory
CK
Cipher key
1 per user
Updated when AKA
protocol is executed
128 bits
Mandatory
IK
Integrity key
1 per user
Updated when AKA
protocol is executed
128 bits
Mandatory
GSMAV
GSM Authentication
vectors
As for GSM
As for GSM
As for GSM
Qptional
The following cryptographic functions shall be implemented in the VLR/SGSN:
- c4: Conversion function for interoperation with GSM from Kc (GSM) to CK (UMTS);
- c5: Conversion function for interoperation with GSM from Kc (GSM) to IK (UMTS).
£75/
3GPP TS 33.103 version 4.0.0 Release 4
20
ETSI TS 133 103 V4.0.0 (2001-03)
Table 1 8 provides an overview of the cryptographic functions implemented on the UE to support the mechanism for
data confidentiality.
Table 18: VLR/SGSN Authentication and Key Agreement - Cryptographic functions
Symbol
Description
Multiplicity
Lifetime
Standardised /
Proprietary
Mandatory / Optional
g4
Conversion function for
interoperation with GSIVl
1
Permanent
Standardised
Optional
c5
Conversion function for
interoperation with GSIVl
1
Permanent
Standardised
Optional
4.6 Home location register / Authentication centre
4.6.1 Authentication and key agreement (AKAhe)
The HLR/AuC shall support the UMTS mechanism for authentication and key agreement described in 6.3 of 3G TS
33.102.
The following data elements need to be stored in the HLR/AuC:
a) K: a permanent secret key;
b) SQNhe: a counter used to generate SQN from;
c) AV: authentication vectors computed in advance;
Table 19 provides an overview of the data elements stored on the HLR/AuC to support authentication and key
agreement.
Table 19: HLR/AuC - Authentication and key agreement - Data elements
Symbol
Description
Multiplicity
Lifetime
Length
Mandatory /
Optional
K
Permanent secret
key
1
Permanent
128 bits
Mandatory
SQNhe
Sequence number
counter
1
Updated when AVs
are generated
48 bits
Mandatory
UMTS AV
UMTS
Authentication
vectors
HE option
Updated when AVs
are generated
544-640 bits
Optional
GSMAV
GSM Authentication
vectors
HE option that
consists of:
Updated when AVs
are generated
As GSM
Optional
RAND
GSM Random
challenge
128 bits
Optional
SRES
GSM Expected
response
32 bits
Optional
Kg
GSM cipher key
64 bits
Optional
Table 20 shows how the construction of authentication token for synchronisation failure messages used to support
authentication and key agreement.
Table 20: Composition of an authentication tolten for synchronisation failure messages
Symbol
Description
Multiplicity
Length
AUTS
Synchronisation Failure authentication token
that consists of:
112
SON
Sequence number
1 per AUTS
48
MAC-S
Message authentication code for Synchronisation
Failure messages
1 per AUTS
64
£75/
3GPP TS 33.103 version 4.0.0 Release 4
21
ETSI TS 133 103 V4.0.0 (2001-03)
Figure 4 provides an overview of how authentication vectors are generated in the HLR/AuC.
Generate SQN
SQN AMF
fl
T
f2
f3
MAC
XRES
CK
Generate RAND
■^
f4
IK
RAND
f5
t I I I
AK
AUTN := SQN AK II AMF II MAC
AV := RAND II XRES II CK II IK II AUTN
Figure 4: Generation of an authentication vector
The following cryptographic functions need to be implemented in the HLR/AuC:
f 1 : a message authentication function for network authentication;
fl *: a message authentication function for support to re-synchronisation;
f2: a message authentication function for user authentication;
G: a key generating function to derive the cipher key;
f4: a key generating function to derive the integrity key;
f5: a key generating function to derive the anonymity key for normal operation;
f5*: a key generating function to derive the anonymity key for re-synchronisation;
- cl : Conversion function for interoperation with GSM from RAND (UMTS) > RAND (GSM);
- c2: Conversion function for interoperation with GSM from XRES (UMTS) to SRES (GSM);
- c3: Conversion function for interoperation with GSM from CK and IK (UMTS) to Kc (GSM).
£75/
3GPP TS 33.103 version 4.0.0 Release 4
22
ETSI TS 133 103 V4.0.0 (2001-03)
Table 21 provides a summary of the cryptographic functions implemented on the USIM to support authentication and
key agreement.
Table 21 : HLR/AuC - Authentication and key agreement - Cryptographic functions
Symbol
Description
Multiplicity
Lifetime
Standardised /
Proprietary
Mandatory / Optional
f1
Network authentication
function
Permanent
Proprietary
Mandatory
f1*
IVIessage autlientication
function for
synchronisation
Permanent
Proprietary
Mandatory
f2
User authentication
function
Permanent
Proprietary
Mandatory
f3
Cipher l<ey generating
function
Permanent
Proprietary
Mandatory
f4
Integrity l<ey generating
function
Permanent
Proprietary
Mandatory
f5
Anonymity l<ey
generating function (for
normal operation)
Permanent
Proprietary
Optional
f5*
Anonymity key
generating function (for
re-synchronisation)
Permanent
Proprietary
Optional
A3/A8
GSM user
authentication functions
Permanent
Proprietary
Optional
c1 , c2 and
c3
Functions for
converting UMTS AV's
to GSM AV's
1 for each
Permanent
Standard
Optional
4.7
Void
Void
Void
£75/
3GPP TS 33.103 version 4.0.0 Release 4
23
ETSI TS 133 103 V4.0.0 (2001-03)
Annex A (informative):
Change history
Change history
TSGSA
#
Version
CR
Tdoc SA
New
Version
Subject/Comment
S 05
2.0.0
3.0.0
Approved at SA#5 and placed under TSG SA Change Control
S 06
3.0.0
001 r1
SP-99586
3.1.0
Refinement of Enhanced User Identity Confidentiality
S 06
3.0.0
002r1
SP-99586
3.1.0
Corrections to figure 1
S 06
3.0.0
004
SP-99586
3.1.0
Change length of KSI (and other miscellaneous corrections)
S 07
3.1.0
005r2
SP-000075
3.2.0
Refinement EUlC (according to TS 33.102)
S 07
3.1.0
006
SP-000047
3.2.0
Alignment of Integration Guidelines with Security Architecture
S 08
3.2.0
007
SP-000273
3.3.0
Removal of EUlC from 33.103
S 08
3.2.0
008
SP-000273
3.3.0
Removal of MAP Security from 33.103
S 08
3.2.0
009
SP-000271
3.3.0
SQN length
S 09
3.3.0
010
SP-000443
3.4.0
Removal of Network Wide Confidentiality for R99 ( clause 6)
S 09
3.3.0
Oil
SP-000446
3.4.0
Correction to BEARER definition
S 09
3.3.0
012
SP-000445
3.4.0
Computation of the anonymity key for re-synchronlsatlon
SP-11
3.4.0
013
SP-OIOOxz
3.5.0
Add bit ordering convention
SP-11
3.5.0
-
-
4.0.0
Upgrade to Release 4
£75/
3GPP TS 33.103 version 4.0.0 Release 4
24
ETSI TS 133 103 V4.0.0 (2001-03)
History
Document history
V4.0.0
March 2001
Publication
ETSI